As part of its Customer Security Programme (CSP), SWIFT has updated its security requirements for clients and released the Customer Security Controls Framework (CSCF) v2025. This article provides a summary of the latest changes and guidance on how to prepare.

The financial sector remains a prime target for cybercriminals, leading to continuous updates in compliance standards. Each year, SWIFT revises its CSCF, which can impact payment operations and associated technologies. These updates apply to all organisations using SWIFT. To meet the 2025 requirements, businesses must undergo an independent review to verify that all mandatory controls are in place before completing their attestation.

Understanding the Customer Security Controls Framework (CSCF)

The framework consists of 32 security controls – 25 mandatory and 7 advisory – structured around key objectives to strengthen the security of SWIFT users’ infrastructure. These controls serve as the basis for independent security assessments and the required Know Your Customer-Security Attestation (KYC-SA), which all SWIFT users must complete.

What are the Main New Features of SWIFT CSCF v2025?

The latest update to SWIFT’s Customer Security Controls Framework (CSCF) for 2025 introduces no major changes, focusing instead on minor adjustments and clarifications to improve understanding and consistency. Unlike previous years, no advisory controls have been elevated to mandatory status, and SWIFT has indicated that the overall requirement level will remain stable after successive increases in recent updates. Unusually, SWIFT has already announced that Control 2.4 becomes mandatory in 2026.

While there are no new mandatory controls for the 2025 assessment cycle, there are changes organisations need to make to achieve a compliant audit, particularly:

  • Control 2.4A (Back Office Data Flow Security) – Currently advisory, this control becomes mandatory in 2026, reinforcing the need for stronger segregation between an organisation’s general IT environment and its secure SWIFT infrastructure. SWIFT mandates readiness in 2025, and AJC will insist on auditing this control in 2025 to help identify any gaps in your compliance.

  • Changes for Architecture Type B Users – The definition of “customer connectors” has expanded to include client endpoints connecting to a Service Provider or SWIFT from either a server or a workstation. This could mean that some organisations currently attesting as Architecture B, because a workstation was used to host a connector, may need to reclassify under Architecture A4.

  • Clarifications to Key Terminology – Definitions of terms such as “Service Provider” and “General (Enterprise) Environment” have been refined to ensure better alignment and interpretation across assessors and users.

  • Windows 10 can no longer be used – Windows 10 reaches end of life in 2025, and its use within the SWIFT secure zone is no longer allowed under Control 2.2. The end-of-life date falls within the attestation date range. To avoid confusion, AJC will not accept any use of Windows 10 in the SWIFT secure zone, or by SWIFT users, at any point in the 2025 audit window.


While the 2025 update does not introduce immediate mandatory changes, organisations should take a proactive approach, particularly in preparing for the expected elevation of Control 2.4A.

Smaller Changes and Clarifications

  • A4 Customer Connector – Clarification has been provided that the connector performing SFTP or similar transmission can be either a server or a workstation, and both fall under Architecture A4, whereas previously only servers were mentioned.

  • CREST API use from within a browser is regarded as a SWIFT GUI.

  • For architectures A1-A4, all indirect back-office connections from the secure zone must use encryption for the back-office data exchange. The ciphers should be modern and must be demonstrable. An inventory of the connections, including the encryption method used by each, needs to be held. In addition, the bridging servers making the indirect connection(s) come into scope for 13 of the existing controls: Controls 1.2, 1.3, 1.4, 2.2, 2.3, 2.6, 2.7, 3.1, 4.1, 5.1, 5.4, 6.1 and 6.4. The bridging servers may sit outside the SWIFT secure zone but remain in scope.

  • Control 2.7 Vulnerability Scanning has had its scope clarified: scans must include both operating systems and applications in the SWIFT secure zone.

  • Control 2.8 Outsourced Critical Activity Protection has had its implementation guide amended. For each critical provider in scope, three sets of documents are needed: an SLA agreement, an NDA agreement and a Security Risk Assessment (both at the inception of the service and on an ongoing basis). As a security risk assessment, due diligence on the organisation’s finances is insufficient: it must provide confidence that outsourced activities are being performed to at least the [technical] standard defined in the SWIFT CSCF. Therefore, you will need to audit your suppliers or review other independent audit documents, such as ISO 27001 certificates or SOC reports, to understand whether their practices are secure. Evidence of Service Level reviews also remains an ongoing requirement.

  • Control 2.9 Transaction Business Controls has a revised emphasis on business controls (rather than technological controls). It is clearer that controls can exist outside of any given SWIFT component, such as daily business reconciliations.

  • Control 2.11 RMA Business Controls has been simplified and references the central SWIFT RMA portal for the implementation of RMA restrictions.
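The back-office encryption and bridging-server points above are the ones an assessor will ask to see evidence for. As an added example (not AJC's or SWIFT's tooling), the Python below keeps an inventory of indirect and direct back-office flows with their negotiated encryption, flags suites that fall short of an assumed "modern cipher" policy (TLS 1.2 or later, forward secrecy, AEAD, no legacy primitives; the CSCF text itself only says "modern"), and marks each bridging server as in scope for the 13 controls listed. Hostnames and cipher suites in the sample are constructed.

```python
from dataclasses import dataclass

# The 13 controls the article lists as applying to bridging servers.
BRIDGING_SERVER_CONTROLS = ("1.2", "1.3", "1.4", "2.2", "2.3", "2.6", "2.7",
                            "3.1", "4.1", "5.1", "5.4", "6.1", "6.4")

@dataclass
class Connection:
    name: str
    src: str         # host in the SWIFT secure zone
    dst: str         # back-office system
    bridge: str      # bridging server for an indirect flow, "" if direct
    protocol: str    # as negotiated, e.g. "TLSv1.2", "TLSv1.3", "SSH-2"
    cipher: str      # negotiated cipher suite as reported by the endpoint

def cipher_findings(protocol: str, cipher: str) -> list[str]:
    """Reasons a suite fails the assumed policy; an empty list means it passes."""
    findings = []
    tokens = set(cipher.upper().replace("_", "-").split("-"))
    if protocol.startswith("TLSv"):
        version = float(protocol[4:])
        if version < 1.2:
            findings.append(f"{protocol} is below TLS 1.2")
        if version < 1.3:  # every TLS 1.3 suite is AEAD with ephemeral key exchange
            if not tokens & {"ECDHE", "DHE"}:
                findings.append("no forward secrecy (ECDHE/DHE)")
            if not tokens & {"GCM", "CHACHA20"}:
                findings.append("non-AEAD cipher")
        if tokens & {"RC4", "DES", "CBC3", "3DES", "NULL", "EXPORT", "MD5"}:
            findings.append("legacy primitive in suite")
    elif protocol.startswith("SSH"):
        if not tokens & {"GCM@OPENSSH.COM", "CHACHA20"}:
            findings.append("SSH cipher is not AEAD")
    else:
        findings.append("unencrypted or unrecognised protocol")
    return findings

def assess(inventory: list[Connection]) -> list[dict]:
    """Evidence rows: encryption status per flow, plus the controls that bring its bridging server into scope."""
    return [{"name": c.name, "path": f"{c.src} -> {c.bridge or c.dst}",
             "encryption": f"{c.protocol} {c.cipher}",
             "findings": cipher_findings(c.protocol, c.cipher),
             "bridge_controls": BRIDGING_SERVER_CONTROLS if c.bridge else ()}
            for c in inventory]

# Constructed sample inventory; hostnames and negotiated suites are made up.
SAMPLE = [Connection("Payments export", "swift-gw01", "core-banking", "bridge01", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
          Connection("Statement feed", "swift-gw01", "recon-app", "", "TLSv1.2", "AES256-SHA"),
          Connection("File transfer", "swift-gw02", "treasury-fs", "bridge02", "SSH-2", "aes128-cbc")]

if __name__ == "__main__":
    print(*assess(SAMPLE), sep="\n")
```

In the sample, the direct statement feed fails on forward secrecy and AEAD, the SFTP flow fails on a CBC cipher, and both indirect flows carry the 13-control scope for their bridging server.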


Download our full summary of changes to SWIFT CSCF v2025 below.


Are you Ready for Compliance v2025?

It is essential for SWIFT users to align their security controls with CSCF requirements and undergo annual compliance verification. SWIFT requires an independent review of at least all mandatory controls within the attestation process to ensure reliability, consistency, and accuracy in security assessments.

Ensure timely resolution of any non-compliance issues prior to the end of 2025 with our SWIFT Compliance Assessment. AJC offers comprehensive cybersecurity services, including assistance in evaluating the SWIFT Customer Security Programme. Our comprehensive SWIFT assessment reviews your current security posture and offers clear, actionable recommendations to help you meet the 2025 requirements.

Please contact us on 020 7101 4861 or email info@ajollyconsulting.co.uk if you think we can help.

Image accreditation: Philipp Katzenberger (January 2019) from Unsplash.com. Last accessed on 12th March 2024. Available at: https://unsplash.com/photos/closeup-photo-of-turned-on-blue-and-white-laptop-computer-iIJrUoeRoCQ
